file.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458
  1. /*
  2. * AppArmor security module
  3. *
  4. * This file contains AppArmor mediation of files
  5. *
  6. * Copyright (C) 1998-2008 Novell/SUSE
  7. * Copyright 2009-2010 Canonical Ltd.
  8. *
  9. * This program is free software; you can redistribute it and/or
  10. * modify it under the terms of the GNU General Public License as
  11. * published by the Free Software Foundation, version 2 of the
  12. * License.
  13. */
  14. #include "include/apparmor.h"
  15. #include "include/audit.h"
  16. #include "include/file.h"
  17. #include "include/match.h"
  18. #include "include/path.h"
  19. #include "include/policy.h"
  20. struct file_perms nullperms;
  21. /**
  22. * audit_file_mask - convert mask to permission string
  23. * @buffer: buffer to write string to (NOT NULL)
  24. * @mask: permission mask to convert
  25. */
  26. static void audit_file_mask(struct audit_buffer *ab, u32 mask)
  27. {
  28. char str[10];
  29. char *m = str;
  30. if (mask & AA_EXEC_MMAP)
  31. *m++ = 'm';
  32. if (mask & (MAY_READ | AA_MAY_META_READ))
  33. *m++ = 'r';
  34. if (mask & (MAY_WRITE | AA_MAY_META_WRITE | AA_MAY_CHMOD |
  35. AA_MAY_CHOWN))
  36. *m++ = 'w';
  37. else if (mask & MAY_APPEND)
  38. *m++ = 'a';
  39. if (mask & AA_MAY_CREATE)
  40. *m++ = 'c';
  41. if (mask & AA_MAY_DELETE)
  42. *m++ = 'd';
  43. if (mask & AA_MAY_LINK)
  44. *m++ = 'l';
  45. if (mask & AA_MAY_LOCK)
  46. *m++ = 'k';
  47. if (mask & MAY_EXEC)
  48. *m++ = 'x';
  49. *m = '\0';
  50. audit_log_string(ab, str);
  51. }
  52. /**
  53. * file_audit_cb - call back for file specific audit fields
  54. * @ab: audit_buffer (NOT NULL)
  55. * @va: audit struct to audit values of (NOT NULL)
  56. */
  57. static void file_audit_cb(struct audit_buffer *ab, void *va)
  58. {
  59. struct common_audit_data *sa = va;
  60. kuid_t fsuid = current_fsuid();
  61. if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) {
  62. audit_log_format(ab, " requested_mask=");
  63. audit_file_mask(ab, sa->aad->fs.request);
  64. }
  65. if (sa->aad->fs.denied & AA_AUDIT_FILE_MASK) {
  66. audit_log_format(ab, " denied_mask=");
  67. audit_file_mask(ab, sa->aad->fs.denied);
  68. }
  69. if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) {
  70. audit_log_format(ab, " fsuid=%d",
  71. from_kuid(&init_user_ns, fsuid));
  72. audit_log_format(ab, " ouid=%d",
  73. from_kuid(&init_user_ns, sa->aad->fs.ouid));
  74. }
  75. if (sa->aad->fs.target) {
  76. audit_log_format(ab, " target=");
  77. audit_log_untrustedstring(ab, sa->aad->fs.target);
  78. }
  79. }
  80. /**
  81. * aa_audit_file - handle the auditing of file operations
  82. * @profile: the profile being enforced (NOT NULL)
  83. * @perms: the permissions computed for the request (NOT NULL)
  84. * @gfp: allocation flags
  85. * @op: operation being mediated
  86. * @request: permissions requested
  87. * @name: name of object being mediated (MAYBE NULL)
  88. * @target: name of target (MAYBE NULL)
  89. * @ouid: object uid
  90. * @info: extra information message (MAYBE NULL)
  91. * @error: 0 if operation allowed else failure error code
  92. *
  93. * Returns: %0 or error on failure
  94. */
  95. int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
  96. gfp_t gfp, int op, u32 request, const char *name,
  97. const char *target, kuid_t ouid, const char *info, int error)
  98. {
  99. int type = AUDIT_APPARMOR_AUTO;
  100. struct common_audit_data sa;
  101. struct apparmor_audit_data aad = {0,};
  102. sa.type = LSM_AUDIT_DATA_NONE;
  103. sa.aad = &aad;
  104. aad.op = op,
  105. aad.fs.request = request;
  106. aad.name = name;
  107. aad.fs.target = target;
  108. aad.fs.ouid = ouid;
  109. aad.info = info;
  110. aad.error = error;
  111. if (likely(!sa.aad->error)) {
  112. u32 mask = perms->audit;
  113. if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
  114. mask = 0xffff;
  115. /* mask off perms that are not being force audited */
  116. sa.aad->fs.request &= mask;
  117. if (likely(!sa.aad->fs.request))
  118. return 0;
  119. type = AUDIT_APPARMOR_AUDIT;
  120. } else {
  121. /* only report permissions that were denied */
  122. sa.aad->fs.request = sa.aad->fs.request & ~perms->allow;
  123. if (sa.aad->fs.request & perms->kill)
  124. type = AUDIT_APPARMOR_KILL;
  125. /* quiet known rejects, assumes quiet and kill do not overlap */
  126. if ((sa.aad->fs.request & perms->quiet) &&
  127. AUDIT_MODE(profile) != AUDIT_NOQUIET &&
  128. AUDIT_MODE(profile) != AUDIT_ALL)
  129. sa.aad->fs.request &= ~perms->quiet;
  130. if (!sa.aad->fs.request)
  131. return COMPLAIN_MODE(profile) ? 0 : sa.aad->error;
  132. }
  133. sa.aad->fs.denied = sa.aad->fs.request & ~perms->allow;
  134. return aa_audit(type, profile, gfp, &sa, file_audit_cb);
  135. }
  136. /**
  137. * map_old_perms - map old file perms layout to the new layout
  138. * @old: permission set in old mapping
  139. *
  140. * Returns: new permission mapping
  141. */
  142. static u32 map_old_perms(u32 old)
  143. {
  144. u32 new = old & 0xf;
  145. if (old & MAY_READ)
  146. new |= AA_MAY_META_READ;
  147. if (old & MAY_WRITE)
  148. new |= AA_MAY_META_WRITE | AA_MAY_CREATE | AA_MAY_DELETE |
  149. AA_MAY_CHMOD | AA_MAY_CHOWN;
  150. if (old & 0x10)
  151. new |= AA_MAY_LINK;
  152. /* the old mapping lock and link_subset flags where overlaid
  153. * and use was determined by part of a pair that they were in
  154. */
  155. if (old & 0x20)
  156. new |= AA_MAY_LOCK | AA_LINK_SUBSET;
  157. if (old & 0x40) /* AA_EXEC_MMAP */
  158. new |= AA_EXEC_MMAP;
  159. return new;
  160. }
  161. /**
  162. * compute_perms - convert dfa compressed perms to internal perms
  163. * @dfa: dfa to compute perms for (NOT NULL)
  164. * @state: state in dfa
  165. * @cond: conditions to consider (NOT NULL)
  166. *
  167. * TODO: convert from dfa + state to permission entry, do computation conversion
  168. * at load time.
  169. *
  170. * Returns: computed permission set
  171. */
  172. static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
  173. struct path_cond *cond)
  174. {
  175. struct file_perms perms;
  176. /* FIXME: change over to new dfa format
  177. * currently file perms are encoded in the dfa, new format
  178. * splits the permissions from the dfa. This mapping can be
  179. * done at profile load
  180. */
  181. perms.kill = 0;
  182. if (uid_eq(current_fsuid(), cond->uid)) {
  183. perms.allow = map_old_perms(dfa_user_allow(dfa, state));
  184. perms.audit = map_old_perms(dfa_user_audit(dfa, state));
  185. perms.quiet = map_old_perms(dfa_user_quiet(dfa, state));
  186. perms.xindex = dfa_user_xindex(dfa, state);
  187. } else {
  188. perms.allow = map_old_perms(dfa_other_allow(dfa, state));
  189. perms.audit = map_old_perms(dfa_other_audit(dfa, state));
  190. perms.quiet = map_old_perms(dfa_other_quiet(dfa, state));
  191. perms.xindex = dfa_other_xindex(dfa, state);
  192. }
  193. perms.allow |= AA_MAY_META_READ;
  194. /* change_profile wasn't determined by ownership in old mapping */
  195. if (ACCEPT_TABLE(dfa)[state] & 0x80000000)
  196. perms.allow |= AA_MAY_CHANGE_PROFILE;
  197. if (ACCEPT_TABLE(dfa)[state] & 0x40000000)
  198. perms.allow |= AA_MAY_ONEXEC;
  199. return perms;
  200. }
  201. /**
  202. * aa_str_perms - find permission that match @name
  203. * @dfa: to match against (MAYBE NULL)
  204. * @state: state to start matching in
  205. * @name: string to match against dfa (NOT NULL)
  206. * @cond: conditions to consider for permission set computation (NOT NULL)
  207. * @perms: Returns - the permissions found when matching @name
  208. *
  209. * Returns: the final state in @dfa when beginning @start and walking @name
  210. */
  211. unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
  212. const char *name, struct path_cond *cond,
  213. struct file_perms *perms)
  214. {
  215. unsigned int state;
  216. if (!dfa) {
  217. *perms = nullperms;
  218. return DFA_NOMATCH;
  219. }
  220. state = aa_dfa_match(dfa, start, name);
  221. *perms = compute_perms(dfa, state, cond);
  222. return state;
  223. }
  224. /**
  225. * is_deleted - test if a file has been completely unlinked
  226. * @dentry: dentry of file to test for deletion (NOT NULL)
  227. *
  228. * Returns: %1 if deleted else %0
  229. */
  230. static inline bool is_deleted(struct dentry *dentry)
  231. {
  232. if (d_unlinked(dentry) && d_backing_inode(dentry)->i_nlink == 0)
  233. return 1;
  234. return 0;
  235. }
  236. /**
  237. * aa_path_perm - do permissions check & audit for @path
  238. * @op: operation being checked
  239. * @profile: profile being enforced (NOT NULL)
  240. * @path: path to check permissions of (NOT NULL)
  241. * @flags: any additional path flags beyond what the profile specifies
  242. * @request: requested permissions
  243. * @cond: conditional info for this request (NOT NULL)
  244. *
  245. * Returns: %0 else error if access denied or other error
  246. */
  247. int aa_path_perm(int op, struct aa_profile *profile, struct path *path,
  248. int flags, u32 request, struct path_cond *cond)
  249. {
  250. char *buffer = NULL;
  251. struct file_perms perms = {};
  252. const char *name, *info = NULL;
  253. int error;
  254. flags |= profile->path_flags | (S_ISDIR(cond->mode) ? PATH_IS_DIR : 0);
  255. error = aa_path_name(path, flags, &buffer, &name, &info);
  256. if (error) {
  257. if (error == -ENOENT && is_deleted(path->dentry)) {
  258. /* Access to open files that are deleted are
  259. * give a pass (implicit delegation)
  260. */
  261. error = 0;
  262. info = NULL;
  263. perms.allow = request;
  264. }
  265. } else {
  266. aa_str_perms(profile->file.dfa, profile->file.start, name, cond,
  267. &perms);
  268. if (request & ~perms.allow)
  269. error = -EACCES;
  270. }
  271. error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request, name,
  272. NULL, cond->uid, info, error);
  273. kfree(buffer);
  274. return error;
  275. }
  276. /**
  277. * xindex_is_subset - helper for aa_path_link
  278. * @link: link permission set
  279. * @target: target permission set
  280. *
  281. * test target x permissions are equal OR a subset of link x permissions
  282. * this is done as part of the subset test, where a hardlink must have
  283. * a subset of permissions that the target has.
  284. *
  285. * Returns: %1 if subset else %0
  286. */
  287. static inline bool xindex_is_subset(u32 link, u32 target)
  288. {
  289. if (((link & ~AA_X_UNSAFE) != (target & ~AA_X_UNSAFE)) ||
  290. ((link & AA_X_UNSAFE) && !(target & AA_X_UNSAFE)))
  291. return 0;
  292. return 1;
  293. }
  294. /**
  295. * aa_path_link - Handle hard link permission check
  296. * @profile: the profile being enforced (NOT NULL)
  297. * @old_dentry: the target dentry (NOT NULL)
  298. * @new_dir: directory the new link will be created in (NOT NULL)
  299. * @new_dentry: the link being created (NOT NULL)
  300. *
  301. * Handle the permission test for a link & target pair. Permission
  302. * is encoded as a pair where the link permission is determined
  303. * first, and if allowed, the target is tested. The target test
  304. * is done from the point of the link match (not start of DFA)
  305. * making the target permission dependent on the link permission match.
  306. *
  307. * The subset test if required forces that permissions granted
  308. * on link are a subset of the permission granted to target.
  309. *
  310. * Returns: %0 if allowed else error
  311. */
  312. int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
  313. struct path *new_dir, struct dentry *new_dentry)
  314. {
  315. struct path link = { new_dir->mnt, new_dentry };
  316. struct path target = { new_dir->mnt, old_dentry };
  317. struct path_cond cond = {
  318. d_backing_inode(old_dentry)->i_uid,
  319. d_backing_inode(old_dentry)->i_mode
  320. };
  321. char *buffer = NULL, *buffer2 = NULL;
  322. const char *lname, *tname = NULL, *info = NULL;
  323. struct file_perms lperms, perms;
  324. u32 request = AA_MAY_LINK;
  325. unsigned int state;
  326. int error;
  327. lperms = nullperms;
  328. /* buffer freed below, lname is pointer in buffer */
  329. error = aa_path_name(&link, profile->path_flags, &buffer, &lname,
  330. &info);
  331. if (error)
  332. goto audit;
  333. /* buffer2 freed below, tname is pointer in buffer2 */
  334. error = aa_path_name(&target, profile->path_flags, &buffer2, &tname,
  335. &info);
  336. if (error)
  337. goto audit;
  338. error = -EACCES;
  339. /* aa_str_perms - handles the case of the dfa being NULL */
  340. state = aa_str_perms(profile->file.dfa, profile->file.start, lname,
  341. &cond, &lperms);
  342. if (!(lperms.allow & AA_MAY_LINK))
  343. goto audit;
  344. /* test to see if target can be paired with link */
  345. state = aa_dfa_null_transition(profile->file.dfa, state);
  346. aa_str_perms(profile->file.dfa, state, tname, &cond, &perms);
  347. /* force audit/quiet masks for link are stored in the second entry
  348. * in the link pair.
  349. */
  350. lperms.audit = perms.audit;
  351. lperms.quiet = perms.quiet;
  352. lperms.kill = perms.kill;
  353. if (!(perms.allow & AA_MAY_LINK)) {
  354. info = "target restricted";
  355. goto audit;
  356. }
  357. /* done if link subset test is not required */
  358. if (!(perms.allow & AA_LINK_SUBSET))
  359. goto done_tests;
  360. /* Do link perm subset test requiring allowed permission on link are a
  361. * subset of the allowed permissions on target.
  362. */
  363. aa_str_perms(profile->file.dfa, profile->file.start, tname, &cond,
  364. &perms);
  365. /* AA_MAY_LINK is not considered in the subset test */
  366. request = lperms.allow & ~AA_MAY_LINK;
  367. lperms.allow &= perms.allow | AA_MAY_LINK;
  368. request |= AA_AUDIT_FILE_MASK & (lperms.allow & ~perms.allow);
  369. if (request & ~lperms.allow) {
  370. goto audit;
  371. } else if ((lperms.allow & MAY_EXEC) &&
  372. !xindex_is_subset(lperms.xindex, perms.xindex)) {
  373. lperms.allow &= ~MAY_EXEC;
  374. request |= MAY_EXEC;
  375. info = "link not subset of target";
  376. goto audit;
  377. }
  378. done_tests:
  379. error = 0;
  380. audit:
  381. error = aa_audit_file(profile, &lperms, GFP_KERNEL, OP_LINK, request,
  382. lname, tname, cond.uid, info, error);
  383. kfree(buffer);
  384. kfree(buffer2);
  385. return error;
  386. }
  387. /**
  388. * aa_file_perm - do permission revalidation check & audit for @file
  389. * @op: operation being checked
  390. * @profile: profile being enforced (NOT NULL)
  391. * @file: file to revalidate access permissions on (NOT NULL)
  392. * @request: requested permissions
  393. *
  394. * Returns: %0 if access allowed else error
  395. */
  396. int aa_file_perm(int op, struct aa_profile *profile, struct file *file,
  397. u32 request)
  398. {
  399. struct path_cond cond = {
  400. .uid = file_inode(file)->i_uid,
  401. .mode = file_inode(file)->i_mode
  402. };
  403. return aa_path_perm(op, profile, &file->f_path, PATH_DELEGATE_DELETED,
  404. request, &cond);
  405. }